I added an Appendix on Software Supply Chain Security for Containers in CNCF TAG-Security's whitepaper:
https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#appendix-i---containers
https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/sscsp.md#appendix-i---containers